VSR Security Advisory
http://www.vsecurity.com/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: VMware Tools Multiple Vulnerabilities
Release Date: 2011-06-03
Application: VMware Guest Tools
Severity: High
Author: Dan Rosenberg
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference: http://www.vsecurity.com/resources/advisory/20110603-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Description
-------------------
From [1]:
"VMware Tools is a suite of utilities that enhances the performance of the
virtual machine's guest operating system and improves management of the
virtual machine. Without VMware Tools installed in your guest operating
system, guest performance lacks important functionality."
Vulnerability Overview
----------------------
On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a
suite of utilities shipped by VMware with multiple product offerings, as well
as by open-source distributions as the open-vm-tools package. The first of
these issues results in a minor information disclosure vulnerability, while the
second two issues may result in privilege escalation in a VMware guest with
VMware Tools installed.
Product Background
------------------
VMware Tools includes mount.vmhgfs, a setuid-root utility that allows
unprivileged users in a guest VM to mount HGFS shared folders. Also shipped
with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which
handles initial setup to prepare for running vmware-user, which grants users
access to other utilities included with VMware Tools.
Vulnerability Details
---------------------
CVE-2011-2146:
The mount.vmhgfs utility makes a call to stat() to check for the existence and
type (file, directory, etc.) of the user-supplied mountpoint, and provides an
error message if the provided argument does not exist or is not a directory.
Because mount.vmhgfs is setuid-root, a local attacker can leverage this
behavior to identify if a given path exists in the guest operating system and
whether it is a file or directory, potentially violating directory permissions.
CVE-2011-1787:
The mount.vmhgfs utility checks that the user-provided mountpoint is owned by
the user attempting to mount an HGFS share prior to performing the mount.
However, a race condition exists between the time this checking is performed
and when the mount is performed. Successful exploitation allows a local
attacker to mount HGFS shares over arbitrary, potentially root-owned
directories, subsequently allowing privilege escalation within the guest.
CVE-2011-2145:
The vmware-user-suid-wrapper utility attempts to create a directory at
/tmp/VMwareDnD. Next, it makes calls to chown() and chmod() to make this
directory root-owned and world-writable. By placing a symbolic link at the
location of this directory, vmware-user-suid-wrapper will cause the symbolic
link target to become world-writable, allowing local attackers to escalate
privileges within the guest. Only FreeBSD and Solaris versions of VMware Tools
are affected.
Versions Affected
-----------------
VMware's advisory [2] indicates the following product versions are affected:
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
Workstation 7.1.x Linux 7.1.4 or later*
Workstation 7.1.x Windows 7.1.4 or later*
Player 3.1.x Linux 3.1.4 or later*
Player 3.1.x Windows 3.1.4 or later*
AMS any any not affected
Fusion 3.1.x OSX Fusion 3.1.3 or later*
ESXi 4.1 ESXi ESXi410-201104402-BG*
ESXi 4.0 ESXi ESXi400-201104402-BG*
ESXi 3.5 ESXi ESXe350-201105402-T-SG*
ESX 4.1 ESX ESX410-201104401-SG*
ESX 4.0 ESX ESX400-201104401-SG*
ESX 3.5 ESX ESX350-201105406-SG*
ESX 3.0.3 ESX not affected
The open-vm-tools package prior to version 2011.02.23-368700 is also affected.
Vendor Response
---------------
The following timeline details VMware's response to the reported issue:
2011-02-17 VMware receives initial vulnerability report
2011-02-17 VMware security team acknowledges receipt
2011-03-04 VMware provides status update
2011-03-04 VSR initiates discussion of disclosure date
2011-03-10 VMware responds, indicates internal coordination underway
2011-03-11 VSR acknowledges response
2011-03-15 VMware indicates internal coordination still ongoing
2011-03-15 VSR acknowledges response
2011-03-20 VMware proposes disclosure date of late Q3
2011-03-21 VSR agrees to disclosure date
2011-03-30 VMware provides status update
2011-04-28 VMware provides status update
2011-05-05 VMware provides status update
2011-05-06 VSR acknowledges receipt of status updates
2011-06-03 Coordinated disclosure
VMware's advisory may be obtained at:
http://www.vmware.com/security/advisories/VMSA-2011-0009.html
Recommendation
--------------
Apply VMware-supplied updates to affected products, or download
distribution-supplied security updates if using the opem-vm-tools package.
Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers
CVE-2011-1787, CVE-2011-2145, and CVE-2011-2146 to these issues. These are
candidates for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.
Acknowledgements
----------------
Thanks for VMware for their prompt response, frequent status updates, and fix.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. Overview of VMware Tools
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=340
2. VMSA-2011-0009
http://www.vmware.com/security/advisories/VMSA-2011-0009.html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2011 Virtual Security Research, LLC. All rights reserved.